Shady Software?

By

Iowa State University has hundreds of recognized student organizations, from Cy's Gluten Free Friends to a glassblowing club, but Nikolas S. Kinkel couldn't find one where members discussed free speech in the digital age. Yet when he last month presented plans for the Digital Freedom Group to the Student Organization Recognition Board, it hesitated to give the club its stamp of approval.

The proposed group wanted to educate others on online anonymity software such as Tor, which complicates online surveillance by hiding its users among one another -- could that violate university policy?

“This is problematic for IT professionals at Iowa State University who are charged with monitoring activity on the university's network,” the board said in a follow-up email sent to Kinkel after the presentation. “If ISU Digital Freedom Group is willing to modify its description and its constitution stating that it will not use tor nodes or free software designed to enable online anonymity, we may reconsider.”

Kinkel, a software engineering and math major, said the Digital Freedom Group never planned to establish a Tor relay on campus -- only to include the idea in a larger discussion about privacy software.

“We completely understand the desire to safeguard and protect the integrity of the university network,” Kinkel said in an email. “However the admonition not to discuss or be involved with certain legal, ethical, and important free software projects was, we felt, misguided.”

Forming a student organization at Iowa State is a mostly automated process of signature-collecting and constitution-writing guided by a university staffer, then a last step involving a review by the Student Organization Recognition Board. Since that meeting represents the university's “one chance” to review the more than 800 student organizations on campus, the request for more information was a proactive move, said George Micalone, director of student activities.

“Essentially we just wanted clarification if [the] use of tor nodes would have any impact on the ISU networks or policies related to activity on our networks,” Micalone said in an email.

It is simple to see why the board took issue with the group’s plans. Iowa State lists “Engaging in activities intended to hide the user's identity” as an unacceptable system and network activity, but university CIO Jim Davis said the policy is meant to cover online impersonation scams, not forbid privacy.

The board never actually rejected the Digital Freedom Group's application, Micalone said, and once Iowa State's university counsel and information officers confirmed the group was following state and federal law, the board approved it.

“It was a pretty straightforward discussion,” Davis said, adding there is actually nothing in the IT policies that prevent the group from creating a Tor relay. “We want students to experiment with things as long as they're good neighbors with everyone else and not doing anything illegal.”

Anonymity and Criminality

From Snowden to Silk Road, 2013's headlines have been dominated by exposés of the dark corners of the Internet.

Tor and other forms of anonymity software are legal, though the same can't be said for some of the activities they enable. The online black market Silk Road, where users were free to bid on hard drugs, assassination contracts and weapons, ran as a Tor “hidden service” -- an anonymous website. Silk Road was seized by the FBI in October.

As documented by Edward Snowden, the National Security Administration leaker, the spy agency has targeted Tor and its users for years.

Tracy Mitrano, director of IT policy at Cornell University, said those stories have created a backdrop for higher education to examine where human rights and technologies issues intersect.

“[I]n the aftermath of 9/11 especially, the notion that people don't care if governments are snooping unless they have something to hide has not only created an unfortunate and incorrect association between anonymity and criminality, but it has diminished an understanding of how much more with digital technologies our lives are tracked and what entities, governmental and private corporations, do or can do with that information,” Mitrano, who also blogs for Inside Higher Ed, said in an email. “In short, that association diminishes the fundamental human value, and right, of privacy for personal autonomy.”

Micalone declined to say whether he media coverage of those cases has influenced how the recognition board viewed a growing interest in online anonymity on campus. Davis, formerly an associate professor of electrical and computer engineering, said “It’s a great topic for people to dive into.”

Kinkel said he felt the process of gaining recognition for the Digital Freedom Group was motivated by a fear that the group would violate university policies, but also by a lack of understanding about online anonymity and the other topics the group would discuss.

“I think this is actually reflective of some disturbing trends in modern society (at least here in the Midwest): Surveillance is becoming so commonplace and integrated into daily life that the mere suggestion of educating ordinary computer users about popular tools and techniques to protect privacy can be seen by some as potentially dangerous and disruptive,” Kinkel wrote.

The university's follow-up email's description of Tor (“Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than four thousand relays”) is also taken verbatim from the software's Wikipedia entry. Micalone said he did not write the letter, and that he did not know where the description came from.

As the Digital Freedom Group’s status was pending, Kinkel contacted the Electronic Frontier Foundation, a digital rights advocacy organization. It published an open letter to universities “that may feel a similar hesitation on the topic of online anonymity and privacy.”

“The demonization of technology because of a few bad actors is a dangerous path,” the letter reads, linking to an entry about the Silk Road case. “Conversations about online privacy and security should be encouraged, and never silenced. The more that students understand how security threats function and the myriad ways they can protect their communications and identity, the less vulnerable they are to cybercrime or unwanted surveillance.”